Armadillo 9.60 unpackme.

Protections: CopyMem II plus DebugBlocker and Memory Patching

Goal1: Find the password to run the file

Goal2: Unpack the file

Armadillo 9.60 Unpackme.rar

Here is a second unpackme with all protection options enabled.

Armadillo 9.60 unpackme.rar

Here is a serial (run with REGISTER commandline)

First unpackme:

GIV

3D2D-2FDC-506C-5FFB

Second unpackme:

a

414C-60F1-2867-AF48

EDIT: attached dump + fixed relocations + deobfuscated code splices

armadillo 9.60 unpackme_dump2_fixed.rar

Edited March 13, 201312 yr by Mr. eXoDia

And the password is?

 

PS1

I wait and the first file unpacked.

Edited March 14, 201312 yr by GIV

@giv: no idea, I just bypassed the password protection. first file has problems xD I must research it more (oep is fine, but the program crashes somewhere in vbm800.dl or something)

Greetings

Armadillo 9.60 unpackme #1

pass:#EE5125BD

unpacked

 

Armadillo 9.60 Unpackme_dump_.rar

Armadillo 9.60 unpackme #1

pass:#EE5125BD

unpacked

Thank you but for me does not work.

Problem.rar

@giv: no idea, I just bypassed the password protection. first file has problems xD I must research it more (oep is fine, but the program crashes somewhere in vbm800.dl or something)

Greetings

Here is what you should get.

First unpackme.rar

@Vovan: nice work, how did you retrieve the password?

Greetings

eXoDia

The password shown is not the real one.

@GIV: it's accepted by arma, so it's the real one

Greetings

@ Mr. eXoDia

You will be a tutorial on how to unpack the version 9.60?

thank

I don't inputed the password like this.

I understand that could be valid in hex and Arma can be fooled but my expectation was else.

Let's say that is accepted...

It remains the first unpackme to be unpacked and fully working.

The Vovan666 for me crash.

Unpackme1 unpacked fix

 

Armadillo 9.60 Unpackme_dump_.rar

Armaredon easily unpacked 

unpacked_.rar

Edited March 15, 201312 yr by converse

Solved!

more valid passwords

log1.rar

Is none from what i have inputed but if the app accepts then is ok.

The original password cannot be restored from crc32

So as long as the password has CRC32 of 11AEDA42, password accepted.  I would assume Arma doesn't have a clue what the original passwd is then, only stores the hash and compare.  Interesting, thanks. 

nice! really want to know how to have the valid passwords

@kakmail: breakpoint at the CRC function of arma (little tricky to find )

Greetings

They are seriously using plain CRC to "hash" the pw?

They are seriously using plain CRC to "hash" the pw?

 

Almost.  I took a look at another example and it's CRC32 JAMCRC

Debug till you are at the password prompt then set BP on USER32.GetWindowTextA

Enter your password and it breaks.

Follow to the RET back and you are in the security section of Arma code.   It will look like this.  Look for the second CALL location below and step in.

 

  CALL    DWORD PTR [929438]            ; USER32.GetDlgItem  PUSH    EAX  CALL    DWORD PTR [929448]            ; USER32.GetWindowTextA  LEA     ECX, DWORD PTR [EBP-11C]  PUSH    ECX  CALL    008FBB40  ADD     ESP, 4  TEST    EAX, EAX  JE      SHORT 008899C8  MOV     EDX, DWORD PTR [94EE70]  MOV     DWORD PTR [EBP-310], EDX  LEA     EAX, DWORD PTR [EBP-11C]  PUSH    EAX  MOV     ECX, DWORD PTR [EBP-310]  CALL    008445A0                        ; F7 Follow me  MOVZX   ECX, AL  TEST    ECX, ECX  JNZ     00889A5B                   ;Flip Z to bypass the password.

 

Scroll down to the RET 4 of that CALL and look for the CMP 

EAX is the CRC of what you typed in, pointer address is the good hash.

  MOV     ECX, DWORD PTR [EBP-4]  ADD     ECX, 1  MOV     DWORD PTR [EBP-4], ECX  MOV     EDX, DWORD PTR [EBP-14]  MOV     EAX, DWORD PTR [EBP-4]  XOR     ECX, ECX  CMP     EAX, DWORD PTR [EDX+5A4]		; CMP CRC JAMCRC  SETE    CL  MOV     AL, CL  MOV     ESP, EBP  POP     EBP  RET     4

Convert the JAMCRC to CRC32 by XOR.  XOR the good password hash with 0xFFFFFFFF.   Now you have a CRC32 hash to brute force.

 

There is another CMP to same pointer just above this one, in the example I used it never took that jump.   Guess you can set a HWBP on both.

@redblkjck: I knew password protection was easy to bypass (just make the "Enter Password" window return 1) but I thought it was at least md5...

This is my code from 2011 to bypass the password protection:

HWND password=0;const char* caption="Enter Password";//Loop untill a dialog with the caption pops up...while(password==0){    password=FindWindow(0, caption);    Sleep(100);}//Set the return code of the dialog before we end it.SetPropA(password, "_EndDialogRetCode", HANDLE(1));//The actual 'patch' this makes Armadillo think the dialog is ended.SetPropA(password, "_EndDialog", HANDLE(1));

EDIT:

@Vovan: your unpack doesn't work on win7 unfortunately...

Greetings

Edited March 16, 201312 yr by Mr. eXoDia